Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety
Summary
"Boiling the Frog" is a new benchmark designed to evaluate the safety of tool-using AI models, specifically those deployed in corporate and office environments, against incremental attacks. Unlike traditional safety benchmarks that focus on text output, this benchmark assesses what an AI agent does within a persistent workspace over multiple turns. Scenarios begin with benign edits, gradually introducing a risk-bearing request, and score whether the final artifact state becomes unsafe. The benchmark's risk taxonomy is grounded in "Boiling the Frog" risks, the EU AI Act Annex I and Annex III high-risk contexts, and the EU AI Act's Code of Practice on General-Purpose AI (GPAI). Across a panel of nine models, the aggregate strict attack success rate (ASR) was 44.4%. Individual model ASRs varied significantly, from 20.5% for Claude Haiku 4.5 to 92.9% for Gemini 3.1 Flash Lite, with Seed 2.0 Lite also exceeding 80%. Code of Practice loss-of-control scenarios showed an average ASR of 93.3%.
Key takeaway
For AI Security Engineers deploying agentic models in corporate environments, you must prioritize robust testing against incremental, multi-turn attacks. The high attack success rates, especially for models like Gemini 3.1 Flash Lite at 92.9%, indicate significant vulnerabilities. You should implement stateful safety benchmarks, like "Boiling the Frog," to identify and mitigate risks before deployment, particularly for systems falling under EU AI Act high-risk categories.
Key insights
The "Boiling the Frog" benchmark reveals that AI agents are highly susceptible to incremental, multi-turn safety attacks in corporate settings.
Principles
- Agent safety evaluation must focus on actions, not just text.
- Incremental attacks exploit stateful, multi-turn agent interactions.
- Operational risk taxonomy grounds agent safety scenarios.
Method
The "Boiling the Frog" benchmark uses stateful multi-turn scenarios where benign workspace edits precede a risk-bearing request. It scores whether the resulting artifact state becomes unsafe, organized by a three-level operational risk taxonomy.
In practice
- Evaluate AI agents using multi-turn, stateful benchmarks.
- Focus on EU AI Act high-risk contexts for agent safety.
- Scrutinize models with high ASRs like Gemini 3.1 Flash Lite.
Topics
- AI Agent Safety
- Incremental Attacks
- Multi-Turn Benchmarking
- EU AI Act
- Operational Risk Taxonomy
- Corporate AI Deployment
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, AI Ethicist
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Computation and Language.